If the post was edited, I am sorry. I'm not sure exactly what happened; it certainly wasn't intentional, and it shouldn't have been run again since it had been run before. It must have remained on the system from the first run, because it wouldn't have been noted in the log if it had been uninstalled. The quarantine from that run doesn't remain, does it? It sure would be nice to see that log to see what was removed then.
Go ahead and restore the one you found from the 24th. Maybe we can start over.
derek68 0 Light Poster
How do I restore it? Do I just click on the tcpip.reg file? When I do, it asks me if I want to add the information to the registry. Do I go ahead and click yes?
Regarding the ComboFix log, I have the one from the 27th but not the quarantine list.
jholland1964 650 Posting Expert Team Colleague Featured Poster
I need to see that log from the 27th before you do anything. I am truly sorry about those instructions for ComboFix appearing in your post; however, it never would have been requested, even by accident, and I am still not certain how that happened. If it was known the program had already been run, especially without having first removed the previous one, then that would not even have been on the list of considerations, though I honestly don't recall that it was, but somehow it got there.
This is only one of the reasons that ComboFix is never supposed to be used without a helper telling you to use it. One reason is that it is only for very specific infections, and use for another infection not covered by the tool may cause serious problems. Another reason is that there are special steps that are sometimes needed AFTER the first run, and it is used again for those steps, but unless you know how to do those steps, and do them correctly, only part of an infection is removed.
For the latest run, did you use the copy of the program that you used on the 27th, which would have made it way out of date, or did you download a new copy and run that? It is updated extremely often, sometimes multiple times a day; that is why the only legal download page is only good for downloading for 10 minutes after you arrive there and has the timer that clicks down.
Post that log from the 27th.
Edited by jholland1964 because: n/a
derek68 0 Light Poster
I downloaded and used the latest, not the one from the 27th. Following are two ComboFix logs from the 27th:
ComboFix 11-02-27.01 - Wolf 02/27/2011 16:23:00.5.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2751 [GMT -5:00]
Running from: c:\documents and settings\Wolf\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.
2011-02-27 10:11 . 2011-02-27 10:11 -------- d-----w- c:\windows\LastGood.Tmp
2011-02-26 15:57 . 2011-02-26 15:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-02-26 14:16 . 2011-02-26 14:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-02-25 10:20 . 2011-02-25 10:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-02-13 17:46 . 2011-02-13 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-02-13 17:46 . 2011-02-13 17:46 -------- d-----w- c:\program files\Security Task Manager
2011-02-13 14:56 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-02-13 14:56 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-02-13 14:56 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-02-13 14:56 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-02-13 14:56 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-02-13 14:56 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2011-02-13 14:56 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-02-11 13:54 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-02-11 13:54 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-02-11 13:52 . 2010-02-16 17:35 2143744 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-11 13:52 . 2010-02-16 17:37 2186880 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-02-11 13:52 . 2010-02-17 16:57 2063744 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-02-11 13:52 . 2010-02-16 16:57 2021888 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-11 02:39 . 2004-08-10 09:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2011-02-11 02:39 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2011-02-11 02:39 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2011-02-11 02:39 . 2004-08-10 09:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2011-02-11 02:39 . 2004-08-10 09:13 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2011-02-11 02:39 . 2004-08-10 11:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2011-02-11 02:37 . 2004-08-10 11:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdfa.dll
2011-02-11 02:36 . 2004-08-10 11:00 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2011-02-11 00:59 . 2004-08-10 11:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-02-11 00:59 . 2004-08-10 11:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-02-11 00:59 . 2004-08-10 11:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-02-11 00:59 . 2004-08-10 11:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-02-11 00:59 . 2006-03-30 10:03 22339 ----a-r- c:\windows\SET218.tmp
2011-02-11 00:59 . 2005-03-30 17:54 10559 ----a-r- c:\windows\SET219.tmp
2011-02-11 00:59 . 2004-08-10 11:00 13753 ----a-r- c:\windows\SET1D5.tmp
2011-02-11 00:59 . 2004-08-10 11:00 1086058 ----a-r- c:\windows\SET1C9.tmp
2011-02-11 00:59 . 2004-08-10 11:00 106147 ----a-r- c:\windows\SET1C6.tmp
2011-02-10 23:54 . 2011-02-10 23:54 -------- d-----w- C:\$WIN_NT$.~BT
2011-02-10 21:54 . 2011-02-10 21:54 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-10 21:47 . 2011-02-10 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-02-10 21:05 . 2011-02-10 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\bKhJcMk05200
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((( SnapShot_2011-02-26_15.13.38 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-02-18 13:18 . 2010-12-20 23:09 38224 c:\windows\system32\drivers\mbamswissarmy.sys
+ 2010-02-18 13:18 . 2010-04-29 20:39 38224 c:\windows\system32\drivers\mbamswissarmy.sys
- 2010-02-18 13:18 . 2010-12-20 23:08 20952 c:\windows\system32\drivers\mbam.sys
+ 2010-02-18 13:18 . 2010-04-29 20:39 20952 c:\windows\system32\drivers\mbam.sys
+ 2011-02-27 10:11 . 2010-09-07 08:48 26064 c:\windows\LastGood.Tmp\system32\DRIVERS\avgrkx86.sys
+ 2011-02-27 10:11 . 2010-09-07 08:48 34384 c:\windows\LastGood.Tmp\system32\DRIVERS\avgmfx86.sys
+ 2011-02-27 10:11 . 2010-08-03 20:23 26192 c:\windows\LastGood.Tmp\system32\DRIVERS\AVGIDSShim.sys
+ 2011-02-27 10:11 . 2010-08-03 20:23 30288 c:\windows\LastGood.Tmp\system32\DRIVERS\AVGIDSFilter.sys
+ 2011-02-27 10:11 . 2010-09-13 20:27 25680 c:\windows\LastGood.Tmp\system32\DRIVERS\AVGIDSEH.sys
+ 2011-02-27 10:11 . 2010-11-12 18:19 299984 c:\windows\LastGood.Tmp\system32\DRIVERS\avgtdix.sys
+ 2011-02-27 10:11 . 2010-12-08 09:12 251728 c:\windows\LastGood.Tmp\system32\DRIVERS\avgldx86.sys
+ 2011-02-27 10:11 . 2010-08-03 20:23 123472 c:\windows\LastGood.Tmp\system32\DRIVERS\AVGIDSDriver.sys
- 2006-08-08 05:22 . 2011-02-13 14:28 37443528 c:\windows\system32\MRT.exe
+ 2006-08-08 05:22 . 2011-02-04 22:34 37443528 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wolf\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wolf\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Wolf\Application Data\Dropbox\bin\DropboxExt.13.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
c:\documents and settings\Wolf\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Wolf\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-5-7 118784]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-11 05:26 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 18:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 09:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 12:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2007-11-02 16:59 31816 ----a-w- c:\program files\Citrix\GoToMeeting\198\g2mstart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-06-17 12:56 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-18 22:00 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-26 17:31 1242448 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-13 18:55 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ----a-w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"MSK80Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"DM1Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\s3arav3n\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Wolf\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Wolf\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 10:00 AM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 7:46 AM 284016]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/26/2010 4:15 PM 24576]
.
Contents of the 'Scheduled Tasks' folder
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 15:00]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 15:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hgtv.com/hgtv-dream-home-2011-giveaway-enter/package/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\csnh7ey1.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 16:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(296)
c:\windows\system32\WININET.dll
c:\documents and settings\Wolf\Application Data\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2011-02-27 16:33:34
ComboFix-quarantined-files.txt 2011-02-27 21:33
ComboFix2.txt 2011-02-27 17:33
ComboFix3.txt 2011-02-26 15:17
ComboFix4.txt 2010-02-19 23:40
Pre-Run: 51,211,735,040 bytes free
Post-Run: 51,218,739,200 bytes free
- - End Of File - - A97ADE60A026A5E9B4831533070BD5BC
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
c:\documents and settings\Wolf\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Wolf\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-5-7 118784]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-11 05:26 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Directrec Configuration Tool.lnk
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2006-12-12 18:46 19456 ----a-w- c:\windows\system32\CtHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 09:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 17:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 17:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 12:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2007-11-02 16:59 31816 ----a-w- c:\program files\Citrix\GoToMeeting\198\g2mstart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 09:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-06-17 12:56 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-18 22:00 8192 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-11-26 17:31 1242448 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-13 18:55 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ----a-w- c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"MSK80Service"=2 (0x2)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoToAssist"=3 (0x3)
"DM1Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\s3arav3n\\half-life 2 deathmatch\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Documents and Settings\\Wolf\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Wolf\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/27/2010 10:00 AM 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; [x]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 7:46 AM 284016]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/26/2010 4:15 PM 24576]
.
Contents of the 'Scheduled Tasks' folder
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 15:00]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-27 15:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hgtv.com/hgtv-dream-home-2011-giveaway-enter/package/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
FF - ProfilePath - c:\documents and settings\Wolf\Application Data\Mozilla\Firefox\Profiles\csnh7ey1.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 16:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
- - - - - - - > 'explorer.exe'(296)
c:\windows\system32\WININET.dll
c:\documents and settings\Wolf\Application Data\Dropbox\bin\DropboxExt.13.dll
.
Completion time: 2011-02-27 16:33:34
ComboFix-quarantined-files.txt 2011-02-27 21:33
ComboFix2.txt 2011-02-27 17:33
ComboFix3.txt 2011-02-26 15:17
ComboFix4.txt 2010-02-19 23:40
Pre-Run: 51,211,735,040 bytes free
Post-Run: 51,218,739,200 bytes free
- - End Of File - - A97ADE60A026A5E9B4831533070BD5BC
jholland1964 650 Posting Expert Team Colleague Featured Poster
Those aren't two different logs, they are the same log:
1. ComboFix 11-02-27.01 - Wolf 02/27/2011 16:23:00.5.2 - x86 NETWORK
2. ComboFix 11-02-27.01 - Wolf 02/27/2011 16:23:00.5.2 - x86 NETWORK
But there must be another because of this listing:
ComboFix3.txt 2011-02-26 15:17 showing a run before the 27th, on the 26th.
So, now I don't feel as bad about the instruction to run Combofix mistakenly being put into that post here, and I will tell you why: the damage likely was already done before the thread was created.
First of all, the program from last year obviously wasn't uninstalled correctly; if it had been, no references to it would show here, and they do. When uninstalled properly the uninstall takes away all logs, quarantines, and the executable file itself.
Then I see that Combofix wasn't just run once before you created this thread and said nothing, it was run twice, once on the 26th and again on the 27th of February and then again here in this thread
ComboFix-quarantined-files.txt 2011-02-27 21:33
ComboFix2.txt 2011-02-27 17:33
ComboFix3.txt 2011-02-26 15:17
ComboFix4.txt 2010-02-19 23:40
And it never should have been run at all for two or four very good reasons depending on how you want to read it, 2 full security programs or 2 av programs and 2 firewalls enabled on the same machine:
Because all the logs show:
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
The instructions are very clear for the running of Combofix
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix. And they definitely DID. One of each would have been bad enough, but two of each? There is absolutely no way Combofix would work correctly; it is absolutely impossible.
And the sad thing is you knew it and said nothing in your very first post.
I have gone back through this thread and read it multiple times and I have to be very honest, from your very first post here, no matter who had jumped in to help you, myself, crunchie, PhilliePhan, gerbil, any of us who regularly help here, would have been under a tremendous handicap because you have not been forthcoming with vital information until you were forced to be.
You made no mention whatsoever of having a problem removing AVG, until it showed as Enabled in the 1st log you posted, then you had no choice, because it showed and I asked you about it. And you had to have known it because you would have received the very same warning about AVG being enabled the first two times you ran Combofix before coming here. But you chose to say nothing. You also should have received warnings about McAfee also but since the program couldn't run correctly then maybe it didn't warn you, but I have no way of knowing because you didn't say anything about it.
You made no mention of having run Combofix before you made your original post until again, it showed in the log and I asked you about it.
You made no mention of having run Combofix more than once before you created your thread here until I showed you how additional runs would show in the log, then when you posted this last log, twice, it clearly shows that the program was run twice before coming here this time and removed incorrectly last year.
Honestly I am not sure what advice to give you now because I don't really know how to tell for sure what other damage has been done here. I don't want to cause any further damage by giving an instruction that would cause more damage.
I am going to ask the others to look at this and see what they think might be able to be done here.
So do nothing else until one of us posts here.
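As an added example that is not part of this thread or of ComboFix itself, a small Python checker that reads the two parts of the log the post above points to: the AV:/FW: header lines and the ComboFixN.txt history lines near the end of the report. It treats ComboFix2.txt and later as logs kept from earlier runs, which is the reading Judy gives above; the sample text is constructed from lines posted in this thread.

```python
import re

# Excerpt constructed from the ComboFix log posted in this thread: the
# security-product header lines and the per-run history at the end.
SAMPLE_LOG = """\
ComboFix 11-02-27.01 - Wolf 02/27/2011 16:23:00.5.2 - x86 NETWORK
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
Completion time: 2011-02-27 16:33:34
ComboFix-quarantined-files.txt 2011-02-27 21:33
ComboFix2.txt 2011-02-27 17:33
ComboFix3.txt 2011-02-26 15:17
ComboFix4.txt 2010-02-19 23:40
Pre-Run: 51,211,735,040 bytes free
"""

# "AV: <name> *Enabled/Updated* {GUID}" or "FW: <name> *Enabled* {GUID}"
PRODUCT_RE = re.compile(
    r"^(AV|FW): (.+?) \*(Enabled|Disabled)(?:/\w+)?\* \{[0-9A-Fa-f-]+\}$"
)
# "ComboFix2.txt 2011-02-27 17:33": a log kept from an earlier run (per this
# thread). Requiring digits in the name skips ComboFix-quarantined-files.txt.
HISTORY_RE = re.compile(r"^(ComboFix\d+\.txt) (\d{4}-\d{2}-\d{2} \d{2}:\d{2})$")


def parse_log(text):
    """Return ({'AV': [...], 'FW': [...]} of enabled products, [(file, stamp), ...])."""
    enabled = {"AV": [], "FW": []}
    history = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PRODUCT_RE.match(line)
        if m:
            kind, name, state = m.groups()
            if state == "Enabled":
                enabled[kind].append(name)
            continue
        m = HISTORY_RE.match(line)
        if m:
            history.append((m.group(1), m.group(2)))
    return enabled, history


def assess(text):
    """Flag the two conditions the thread turns on: security products still
    running during the scan (worse, more than one of a kind), and logs left
    behind by earlier ComboFix runs."""
    enabled, history = parse_log(text)
    return {
        "enabled": enabled,
        "still_running": [kind for kind, names in enabled.items() if names],
        "conflicts": [kind for kind, names in enabled.items() if len(names) > 1],
        "prior_runs": len(history),
        "oldest_run": min((stamp for _, stamp in history), default=None),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```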
derek68 0 Light Poster
Ok...I will wait. I seriously thought I had uninstalled AVG. Also, when I ran Combofix I disabled McAfee as much as it would allow, which apparently is not at all.
I am not trying to hide anything. I assumed I could fix things myself which was a mistake. A bit embarrassed.
derek68 0 Light Poster
Hi J...any ideas yet? Would it make sense to do a repair install of windows? Would that help me I guess is the question?
jholland1964 650 Posting Expert Team Colleague Featured Poster
You probably have damaged the system with all the running of combofix, the two or more av programs running at the same time.
Honestly, if it were my own computer, I would forgo repair and I probably would reformat entirely and reload.
crunchie 990 Most Valuable Poster Team Colleague Featured Poster
I agree with Judy on this one. Back up what you need and make a fresh start.
derek68 0 Light Poster
Ouch...but what I expected. Thanks for all the help!
jholland1964 650 Posting Expert Team Colleague Featured Poster
derek, you know you have a lot of damage there. Trying to just repair would be like trying to repair a silk suit with cotton patches, it would LOOK lousy and not feel very good either.
Go back to factory, install all your drivers, then get all operating system updates to today, then install your 1 anti-virus program, 1 firewall and then all your programs.
derek68 0 Light Poster
Hi J...will do. What is your recommendation for AV and Firewall (I am assuming some sort of firewall beyond my browser...yes?)
Thanks again for your help.
jholland1964 650 Posting Expert Team Colleague Featured Poster
Antivirus, Avira Free, without a doubt. #1 in testing, I have used it for several years. Firewall, well, certainly NOT AVG or McAfee. :D
ONLINE ARMOR Firewall,
PC TOOLS FIREWALL,
COMODO are just a few of the free ones available. All are very good.
I can get you printscreens for Avira for proper configuration and instructions for whichever firewall you happen to choose.
gerbil 216 Industrious Poster
Derek, I was going to post a few notes...
"i performed a repair install of win XP"... this will replace system files and some of the M$ part of registry, but does not necessarily repair malware damage; it will not remove malware files etc.
From the Pg1 combofix, an authorized app in firewall policy: "c:\\Documents and Settings\\Wool\\temp\\TeamViewer\\Version5\\TeamViewer.exe"= ;;; don't install software into Docs and Sets, or Temp folders. I assume that you know it is there? It is monitoring and control software, generally available. It does not show in the DDS scan, did you install it? It is a bit of a worry if you did not.
Your error code 0x00000023 is indicative of a FAT file system error, perhaps related to antivirus.
Your internet failure.... you could just run this reg file to merge it with your registry [tcpip.reg dated 3/24].
c:\documents and settings\All Users\Application Data\bKhJcMk05200 : what is this folder?
Plenty of AVG in the [from CF log] c:\windows\LastGood.Tmp\system32\DRIVERS\ folder...
This folder should have been removed by Setup when the Repair completed. C:\$WIN_NT$.~BT - it controls the second phase of the repair/installation.
I do agree with Judy that a fresh installation will fix all that; the pain, at least for me, is updating, fixes and driver loading - it's a time thing. You have a whole lot of software to reload.... As far as data goes, I first image the old partition before formatting it, and copy back at leisure.
Good luck with it...